CVE-2026-45659

HIGH KEV

Microsoft SharePoint Remote Code Execution Vulnerability

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-45659 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 1, 2026. EIP tracks 6 public exploits from researchers including SecureWithUmer, amnsecurity, jenniferreire26.

AI-analyzed exploit summary The repository claims to provide an exploit for CVE-2026-45659, a SharePoint deserialization RCE, but instead of including functional code, it links to an external download (tinyurl) and uses vague marketing language without technical depth in the provided README.

Description

Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.

Exploits (6)

github SUSPICIOUS
by SecureWithUmer · c++poc
https://github.com/SecureWithUmer/CVE-2026-PoCs/tree/main/2026/CVE-2026-45659

The repository claims to provide an exploit for CVE-2026-45659, a SharePoint deserialization RCE, but instead of including functional code, it links to an external download (tinyurl) and uses vague marketing language without technical depth in the provided README.

Classification
Suspicious 98%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Unknown
Target: Microsoft SharePoint Server 2019/2022/Subscription Edition (on-prem)
Auth required
Prerequisites: Valid low-privilege credentials (Site Member) · Target list with editable items
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github WORKING POC
by amnsecurity · pythonpoc
https://github.com/amnsecurity/CVE-2026-45659-SharePoint-RCE

This repository contains a functional exploit for CVE-2026-45659, a deserialization vulnerability in Microsoft SharePoint Server (2019/2022/Subscription Edition) that allows authenticated low-privilege users (Site Member) to achieve remote code execution via unsafe deserialization in the SPListItem.Update() method using LosFormatter.Deserialize.

Classification
Working Poc 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Microsoft SharePoint Server 2019, SharePoint Server 2022, SharePoint Subscription Edition (pre-May 2026)
Auth required
Prerequisites: Authenticated access with Site Member privileges · Access to a SharePoint list with editable items · Network access to the SharePoint server
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github SUSPICIOUS
by jenniferreire26 · poc
https://github.com/jenniferreire26/CVE-2026-45659

The repository lacks actual exploit code and instead directs users to an external download link (tinyurl.com), which is a common tactic for distributing malware or fake exploits. The README provides minimal technical details about the vulnerability.

Classification
Suspicious 95%
Attack Type
Deserialization
Complexity
Theoretical
Reliability
Theoretical
Target: Microsoft Office SharePoint (versions before 16.0.19725.20280, 2016, 2019)
Auth required
Prerequisites: authorized access to SharePoint
mistral-large-3 · analyzed Jun 09, 2026 Full analysis →
github SUSPICIOUS
by daniel30padd · poc
https://github.com/daniel30padd/CVE-2026-45659

The repository claims to provide an exploit for CVE-2026-45659, a deserialization vulnerability in Microsoft Office SharePoint, but lacks actual exploit code. Instead, it directs users to an external download link (tinyurl.com), which is a common tactic for distributing malware or fake exploits.

Classification
Suspicious 95%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Microsoft Office SharePoint (versions before 16.0.19725.20280, 2016, 2019)
Auth required
Prerequisites: Python 3.9 · network access to target SharePoint server
mistral-large-3 · analyzed Jun 01, 2026 Full analysis →
github SUSPICIOUS
by mistbarbarianspot · poc
https://github.com/mistbarbarianspot/CVE-2026-45659-SharePoint-RCE

The repository claims to exploit a SharePoint deserialization RCE but lacks actual exploit code, instead redirecting to an external tinyurl link. The README provides technical details but no functional PoC.

Classification
Suspicious 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Microsoft SharePoint Server 2019/2022/Subscription Edition
Auth required
Prerequisites: Authenticated low-priv user (Site Member) · Target list with editable items
mistral-large-3 · analyzed May 27, 2026 Full analysis →
github STUB
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-45659

The repository contains only placeholder files (README.md, LICENSE, .gitignore, cve-id-template.txt) with no actual exploit code or technical details about CVE-2026-45659. The README is a generic template with no specific information about the vulnerability.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
mistral-large-3 · analyzed May 27, 2026 Full analysis →

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory patch
Microsoft SharePoint Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659

Scores

CVSS v3 8.8
EPSS 0.0322
EPSS Percentile 86.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2026-07-01
VulnCheck KEV 2026-07-01
ENISA EUVD EUVD-2026-31518
CWE
CWE-502
Status published
Products (6)
Microsoft/Microsoft SharePoint Enterprise Server 2016 16.0.0 - 16.0.5552.1002
Microsoft/Microsoft SharePoint Server 2019 16.0.0 - 16.0.10417.20128
Microsoft/Microsoft SharePoint Server Subscription Edition 16.0.0 - 16.0.19725.20280
microsoft/sharepoint_server 2016
microsoft/sharepoint_server 2019
microsoft/sharepoint_server < 16.0.19725.20280
Published May 22, 2026
KEV Added Jul 01, 2026
Tracked Since May 23, 2026